tools: add admin-reset and notif-diag operational CLIs

Two small Go CLIs for production ops that previously required ad-hoc
psql or kubectl gymnastics. Both load DB credentials from prod.env-style
env vars and read POSTGRES_PASSWORD from deploy/secrets/postgres_password.txt
by default, so the workflow is `set -a && source deploy/prod.env && set +a`
followed by go run.

cmd/admin-reset/main.go:
  --list                  print all admin_users rows
  --verify --email X      bcrypt-check a password against the stored hash
                          using the same case-insensitive lookup the live
                          /api/admin/auth/login endpoint uses
  --new-email Y           rename an admin's email (with unique-index check)
  default (--email X)     prompt for a new password twice (no echo, min 12
                          chars), bcrypt at DefaultCost, update the row

cmd/notif-diag/main.go:
  default                 print pending/sent counts, breakdown by type and
                          age, the 5 most recent pending rows with their
                          error_message, and registered APNs/FCM device
                          counts
  --mark-failed-as-sent   cosmetic cleanup — UPDATE pending rows that have
                          a recorded error to sent=true,
                          sent_at=COALESCE(updated_at, NOW())
  --yes                   skip the interactive confirmation prompt

Both bypass internal/config.Load() entirely so they don't need
SECRET_KEY or other unrelated env vars to run. .gitignore excludes the
build artifacts at /admin-reset and /notif-diag.

go.mod adds golang.org/x/term v0.41.0 (promoted from indirect to direct)
for no-echo password input in admin-reset.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -8,6 +8,8 @@ bin/
 /api
 /worker
 /admin
+/admin-reset
+/notif-diag
 !admin/
 *.exe
 *.exe~